Attack Debris

A Penetration Testing & Network Security Blog

I’ve experienced a bit of trouble of late with both Empire and PoshC2_Python payloads failing to call back to their corresponding Empire and/or PoshC2 listener/server. This brief post detailing the fixes/workarounds I’ve used may be …

Scenario You have recovered Domain User credentials for a domain but have no privileged or interactive access to any targets i.e. no Domain Admin account or any account that is capable of establishing an RDP …

I haven’t seen too much detail around about how to crack Cisco ASA PBKDF2 (Password-Based Key Derivation Function 2) SHA-512 hashes, which I believe have been supported in some ASA versions from as early as March 2016. As …

Kerberos Username Enumeration – Username Wordlists I’ve been having a fair bit of joy with the auxiliary/gather/kerberos_enumusers metasploit module on internal engagements, however you do need to provide the module with a good quality username wordlist or …

Auto-sslscan As I mentioned in the previous post whilst Nessus and Nmap do a reasonable job of enumerating SSL protocols and ciphers I often find myself utilising other 3rd party SSL scanning tools. One I …

I’ve experienced a bit of trouble of late with both Empire and PoshC2_Python payloads failing to call back to their corresponding Empire and/or PoshC2 listener/server. This brief post detailing the fixes/workarounds I’ve used may be helpful to someone else.

I understand the issues are a result of the OpenSSL configuration in Kali Linux (The Kali build used here is up-to-date as of December 2018)

Troubleshooting Empire

I’ll discuss Empire first, the following figure details my setup:

Once our Empire listener is up and running we attempt to run our PowerShell launcher on the victim. It fails silently, we receive no indication of why. However, capturing the session with Wireshark does indicate the source of the problem, namely a Protocol Version issue:

Scenario

You have recovered Domain User credentials for a domain but have no privileged or interactive access to any targets i.e. no Domain Admin account or any account that is capable of establishing an RDP session.

However, it transpired that none of the identified credential sets were privileged e.g. they were not Domain Admin and additionally, none of the accounts were members of the “Remote Desktop Users” group. As a result, no interactive access to any of the target hosts was possible.

A number of different techniques exist to query Active Directory using low privileged accounts (i.e. a domain user) from our non-domain joined pentest laptop and I will discuss a few options for doing this in this post.

The ultimate goal of this enumeration is to:

Enumerate all Domain accounts

Enumerate privileged accounts to target i.e. Domain Admins or members of the Remote Desktop Users group

Enumerate the Domain’s password policy

Enumerate further avenues of attack

Once this enumeration is complete accounts can be subject to further password guessing attempts.

The domain user credentials used in the following examples are username = ops, password = Pa55word

Microsoft Remote Server Administration Tools (RSAT)

Microsoft RSAT is designed to allow administrators to manage Windows Servers from a remote computer. RSAT provides another option for us to enumerate domains from our low privileged, non-connected domain context:

Initially, RSAT proves useful for the enumeration of the remote Window Domain’s password policy. Again, we do this from a runas, /netonly initiated PowerShell session (see PowerView above for details):

Get-ADDefaultDomainPasswordPolicy -Server 192.1685.5.1

We are also able to utilise RSAT from a GUI perspective, again this is initiated via runas:

runas /netonly /user:mydomain\ops mmc

Next we add “Active Directory Users and Computers” via the new mmc console:

Changing the Domain Controller instance to our target:

We are then able to gain a graphical view of the Domain’s user community:

The whole purpose behind this Domain enumeration is to provide us with further and more privileged accounts to target from a password guessing perspective. The retrieval of the Domain’s password policy obviously also complements this exercise.

References:

I haven’t seen too much detail around about how to crack Cisco ASA PBKDF2 (Password-Based Key Derivation Function 2) SHA-512 hashes, which I believe have been supported in some ASA versions from as early as March 2016.

As always the hashes can be recovered from the appropriate Cisco ASA config file.

Here are some examples of how the hashes can appear in the ASA config files. In the examples below all 3 sample hashes can be easily cracked using any respectable word-list:

I’ve been having a fair bit of joy with theauxiliary/gather/kerberos_enumusers metasploit module on internal engagements, however you do need to provide the module with a good quality username wordlist or wordlists.

On a recent engagement, using only the top 50 male and female userlists, I was able to guess 70 domain accounts from a possible 400, and of course several of them were found to be configured with the obligatory easily guessed password.

Most domains I see tend to leverage some form of firstname, surname combination for domain user usernames. For example:

[Firstname].[surname] e.g: JACK.SMITH

[Firstname, First Letter].[Surname] e.g. J.SMITH

To that end I have created some username lists that are likely to identify valid usernames when targeting large Windows domains. The lists are compiled from the top 500 most common firstname and surname as per the United Kingdom’s Office for National Statistics (ONS).

Initially, you will want to run a tool such as Responder which will help you determine the format for usernames within the target environment e.g. L.FOWLER or LIAM.FOWLER. Indeed, I typically conduct this username enumeration exercise whilst Responder is running in the background.

Once the format has been identified and assuming the format is used universally throughout the domain, Kerberos username enumeration can begin.

The username lists I have created can be seen in the table below. I have also included the raw firstnames and surnames lists should you need to create a custom format:

We subsequently run the module. We’re obviously going to have a lot of failures but with no account lockout to worry about it doesn’t matter:

Running “creds” displays all of the successfully enumerated usernames:

The final stage is to leverage the auxiliary/scanner/smb/smb_login msf module to determine if any of our identified accounts are configured with weak passwords:

Obviously, the domain’s account lockout policy should be taken into consideration when attempting to guess passwords. A sensible approach is to attempt a single password at a time, restricting yourself to 2 guesses (system set to lockout after 3 invalid attempts) or 4 guesses (system set to lockout after 5 invalid attempts) against a single account every 30-minutes. 30 minutes is a typical “lockout observation window“.

Handily the auxiliary/scanner/smb/smb_login msf module’s “ABORT_ON_LOCKOUT” option will prevent too much damage being done, as long as it is enabled.

As I mentioned in the previous post whilst Nessus and Nmap do a reasonable job of enumerating SSL protocols and ciphers I often find myself utilising other 3rd party SSL scanning tools. One I find myself turning to on a regular basis is sslscan, I like the output it provides and issues become immediately apparent, although if you prefer using SSL scanning tool X or Y, the auto-sslscan code can be easily amended to cater for your tool of choice.

Auto-sslscan is a python script designed to automate the process of conducting ssl scanning via sslcan. The Auto-sslscan script parses an nmap.xml output file, extracts all SSL services and automatically performs an sslscan of them.

Step 1 – Create a valid nmap .xml file:

Note: Some form of Nmap version scanning must be utilised to create the XML ouput i.e. -sV or -A (In order to determine whether the service is SSL enabled)

Step 2 – Process the Nmap XML file with auto-sslscan.py:

SSL Services:

That’s effectively job done, we now have a list of SSL services if we wish to target them again with another tool:

Nessus and Nmap both do a decent job of enumerating supported SSL protocols and ciphers from remote servers. However, I usually find myself also utilising other 3rd party SSL scanning tools. To that end I wanted an easy way to quickly parse out SSL services to an output file for input into other tools.

Nmap-ssl-parser is a python script designed to query nmap XML output and provide a list of usable ssl services in the format host:port

The nmap-ssl-parser script parses an nmap.xml output file, extracts all SSL services and writes them to a filename of your choice.

Step 1 – Create a valid nmap .xml file:

Note: Some form of Nmap version scanning must be utilised to create the XML ouput i.e. -sV or -A (In order to determine whether the service is SSL enabled)

Step 2 – Parse the nmap .xml file with nmap-ssl-parser.py:

That’s effectively job done, as can be seen below our output file “my_output_file.txt” contains our host:port formatted list ready for importing into any other tool of choice:

Over recent years enumerating valid operating system level user names from up-to-date and well-maintained Windows environments, even from an internal test perspective, has become increasingly unlikely. Where RID cycling once provided us with a full list of domain users from an unauthenticated perspective, this is generally no longer the case.

However, in relation to internal assessments the Kerberos service (88/tcp) still provides us with a happy hunting ground in relation to the ability to enumerate domain account names.

Essentially the username enumeration is leveraged via the following Kerberos error codes:

User Status

Kerberos Error

Present / Enabled

KDC_ERR_PREAUTH_REQUIRED – Additional pre-authentication required

Locked / Disabled

KDC_ERR_CLIENT_REVOKED – Clients credentials have been revoked

Does not exist

KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database

Several good tools, which have been around for some time, have provided us with the ability to leverage these Kerberos responses to identify valid or invalid domain accounts.

Both of the tools I have been leveraging up until now have both been provided by Patrik Karlsson, the first is the standalone Java tool Krbguess, the second being the krb5-enum-users NSE script for nmap.

Like most penetration testers I’m a heavy user of the Metasploit Framework and for years have thought I would like to be able to leverage this functionality from within the framework. For whatever reason it never seems to have been implemented, thus I decided to have a go at implementing it.

Leaning heavily on the Kerberos support provided by other Metasploit contributors and using the auxiliary module for ms14_068_kerberos_checksum as a template the process was actually a lot simpler than I had anticipated.

The new Metasploit auxiliary module can be found in the following location:

auxiliary/gather/kerberos_enumusers

As with the previously discussed Kerberos enumeration tools, 3 values need to be provided:

Domain Name (DOMAIN)

Domain Controller IP (RHOST)

User list (USER_FILE)

The module can now be run to enumerate valid (and disabled/locked) domain accounts via the Kerberos service:

Finally, and thanks to an addition by bwatter-r7 at rapid7, any valid enumerated usernames are stored in the Metasploit database and can be retrieved via the ‘creds’ command:

All of the following tools are replicated in the following languages – PowerShell, Perl, Ruby and Python:

Portscanner

ARPscanner

FTP Client

WGET Client

Bind Metasploit Payload

Reverse Metasploit Payload

Why a custom scripting framework?

babel-sf has been created for testing minimal installations, locked down and/or hardened environments e.g.

When the target Operating System has a minimal installation

When the Operating System’s native tools have been removed

When the Operating System’s native tools have been locked down via ACLs, Group Policy or AppLocker

But crucially, you still have access to one or more scripting languages e.g. Python

Its development was also partially driven by my own needs:

Proof of Concept i.e. to demonstrate why access to scripting languages can be bad!

System Administrator “Yeah, users have access to [ruby/perl/python/PowerShell], so what?”

But really Why?

To solve reoccurring problems encountered during my testing:

Having to write your own code to perform a required task (takes time!)

Having to Google for code to (re)use, tweak and/or just to get working (takes time!)

I expect babel-sf to be used when you don’t have any tools or Operating System utilities available e.g.

No telnet

No FTP

No wget

No SSH

No netcat, nmap etc. etc.

In this scenario you simply download babel-sf onto the target box via a short one liner (in whichever scripting language is available to you).

Aims?

babel-sf “aspires” to be identical in each scripting language:

Identical Usage (switches etc.)

Identical Output

Offer an identical ‘Look and Feel’

Functionality?

As it stands, babel-sf provides scripts for the following functions:

1. Portscanner (see examples below)
perl:
python:
ruby:
PowerShell:

2. Arpscanner (see examples below):
perl:
python:
ruby:
PowerShell:

So you get the idea, replicated tools in multiple scripting languages…From now on I’ll just show one example screenshot per utility (but they are all there!)

3. FTP client (crude)
ruby (example):

4. WGET client
perl (example):

5. HTTP Server
PowerShell (example):

6. Bind Metasploit Payload
python (example):

7. Reverse Metasploit Payload
ruby (example):

Initial Download?

Assuming that at least one scripting language is supported on the target system, an initial single line script (which provides wget type functionality) will be run to download babel-sf to the target host.

In practice to download babel-sf to our target system we run the relevant script, for our available programming language. This will have to be typed in manually (but thankfully these scripts short and succinct).

Obviously, if you were located on a closed network you would download from your own host, rather than from github.

Script Uniformity?

The scripts offer uniform functionality to a point, some exceptions are:

Ruby has a socket limit (approx 1024): This limits the maximum number of ports that can be scanned at once

I had to be flexible with the type of metasploit shells included: Whilst, bind and reverse shells are included for each scripting language, one language may provide tcp_shells whlilst another may provide meterpreter shells

Whilst the underlying functionality is similar for all of the different HTTP servers: It proved tricky getting HTTP servers to provide a uniform look/feel:

Arpscanner usage varies a little between languages: The interface switch (e.g. eth0) is not currently supported in all languages

Confessions!

I’m not a coder (if you are a coder, look away now!)

Coding in 4 different languages at the same time is foolhardy!

Bugs / Errors abound

If you don’t like certain aspects, contribute! Make them better!

Testing!

Only limited testing has been conducted

Further testing, testing, testing is required e.g. What versions of Perl, Python, Ruby and PowerShell do the scripts run on?

Babel-sf is not wholly new code by any means; large snipets, small snipets and great ideas have been borrowed from many other open source repositories (hopefully, I’ve remembered to reference them all!):

I was recently on a Windows 7 workstation lock-down test which had been implemented pretty effectively with the vast majority of file and folder, service and AppLocker applied rules and permissions preventing the majority of malicious actions.

However, I found that I was able to utilise rundll32.exe to attempt to enumerate/manipulate the environment. I couldn’t really find a good pentest related resource for leveraging rundll32 so thought I’d a put something together to highlight what I’d found to be useful.

All of the following commands have been tested on Windows 7 Ultimate, buts it’s worth bearing in mind that even if the command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating the command / function that you may not have had before).

I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\Windows\System32 (and most weren’t executable during my engagement).

Note: The usage screenshots have been run from the command line for the sake of clarity, in reality you’re unlikely to have cmd.exe (or PowerShell) access and the rundll32 commands (and arguments) will need to be called via Windows shortcuts (as described towards the end of this post).

4. Trigger the .dll via the same method used with cmd.dll (above), i.e. via a shortcut: C:\Windows\System32\rundll32.exe c:\users\test123\desktop\pentest.dll,Control_RunDLL
We now have a full meterpreter session in the context of our standard user, but we’re now able to initiate privilege escalation etc. via the Metasploit framework 🙂

The fifth BruCON conference was held 26th to 27th of September 2013 in Ghent, Belgium. From the off, the conference had a great feel, its organised by a group of security enthusiasts as a non-profit organisation and they do a great job. From the live classical piano playing in the lounge/rest area where you have you meals; breakfast, lunch and dinner (which are all included in the low price) to the large screen displaying all the recent #BruCON twitter activity it makes for an enjoyable couple of days. The conference was organised into a single (main auditorium) speaker track and 2 hands-on lab tracks in the afternoon. Whilst you’re wholly free to mix and match between the main track and the lab tracks, I focused on the main speaker track (although I did hear that the labs were also excellent!), my vague recollections and highlights can be found below.

HTTP Time bandit – Vaagn Toukharian

The tool is basically a tool to perform resource usage denial of service (DOS) type attacks against layer 7 or as referred to during the talk “HTTP GET flooding with spice”. In essence the tool performs a GET flood but some analysis is done before flooding takes place.

The tool first conducts a spider of the site to determine and collect the transfer times for each resource, the average speed of transfers are calculated. Once complete the resource(s) That have the slowest average transfer time(s) are calculated; effectively CPU intensive resources take longer to respond and this is what we are identifying here. To remove false positives from the returned data set statistics are used to analyse the data and discard resources that have a large degree of variance i.e. non consistent time delays that have another cause e.g. network latency.

The speakers moved on to discuss traditional DDOS defences in the form of load balancing and commercial protection services e.g. cloud based solutions, identifying and fixing resource hogs, apache configuration options and other apache modules advanced mod_security protection

The speakers suggested that Timebandit can be used itself to identify and fix these resource hogs. And went on to state that in an ideal world the tool itself would generate configuration files to protect the system (stating this was unlikely to happen).

The following Apache modification options were discussed:

mod_security – offers simple protections that reduced an unprotected attack (i.e. without the change) with a CPU threshold of 98% down to a CPU load of 0% (with the change applied)

mod_limitpconn – limits the number of downloads

mod_qos – provides resource management options

mod_bwshare – accepts or rejects connections based on previous transactions with a source IP address

mod_evasive – DOS/DDOS protection measures

mod_httpbl – Makes use of project honeypot to gather a list of violators for the blacklist (it was suggested this was good in theory but hadn’t been examined in detail)

Taking the BDSM out of PCI with Open Source – Erin Jacobs and Zack Fasel

As most people who deal with it are only too painfully aware PCI DSS represents the Payment Card Industries, Data Security Standard.

PCI compliance comprises of levels 1-4.

Companies attempt to outsource the problem

Open Source Solutions can be used for everything except external vulnerability scans.

No clear PCI configuration guidelines, very generalised

The speakers have started the “Open PCI project.com”. With the aim to provide open source guidelines which are scalable, contain specific walk throughs and simple deployments via ready-to-go installations / virtual machines.

Although there are 12 PCI issues, the talk was only concerned about those that people are getting wrong, these issues in priority were:

Logging: either not doing it well or spending too much money on it. Splunk whilst an excellent resource is too expensive. How about an open source option?

Log server storage options were discussed “fluentd” was posed as a possible open source option to Splunk.

File Integrity Monitoring: several options were discussed with the best suggested being OSSEC.

Patch Management: it was stated that this probably the hardest thing to address with open source, but chef / puppet were suggested by a member of the audience as possible options.

2 factor authentication: OAUTH a hardware and software solution.

AV – anomaly or ClamAV based or potentially binary white-listing.

CobraDroid – Jake Valletta

CobraDroid is a full-featured Android sandbox that includes the ability to modify device and radio identifiers, proxy network traffic with SSL validation bypassing, and perform per application method hooking, alerting, and packet capturing (and more!).

AppUse was discussed a closed source dynamic analysis tool.

CobraDroid setup:
Setup Android SDK, Download archives from his site, create new AVD (may have missed a stage here, see slides for full details).

CobraDroid runs Android 2.3, provides both Bash and Busybox which offers a much more user friendly testing environment.

CobraDroid Functionality:

The tools SSL validation bypass allows you to man in the middle SSL connections!

Events are processed and analysed, as they happen, without storing large data volumes, enabling live actionable intelligence and rapid response capabilities for threat analysts and decision makers who want to stay ahead of emerging threats and opportunities or in other words “events, lots and lots of events”.

The huge amount and variety of data to tackle is difficult, a common API?

The speaker team have created a high performance scalable Complex Event Processor (CEP), uses streaming technology, follows publisher/subscriber model. Events are all handled in JSON format.

Once the form is submitted It is possible to display a geographic maps showing botnet activity, Zeus activity etc. For example it would be possible to show the biggest botnets in any specific country.

Lightening Talks – Day 1

OWASP JAWS – Purpose: The purpose of the project is to have a workset with runnable java code that shows secure coding practices in a working way. Too many times developers end up at some developer forum where someone asks a question and the solutions (that may be working but not necessarily in a secure way) are copied and end up in production code:

The curious case of 43.0.20.80 – Speaker was trying to determine why one host was always resolving Google.com to a non Google related IP address in China i.e. 43.0.20.80. It turned out that DNS responses were being resolved to IPV6 addresses but interpreted as IPV4 addresses by affected hosts i.e. decoded and always resolving to 43.0.20.80 i.e this address hosted in China.

HTTP2.0 (Speedy) – Google’s implementation accepted as the new standard – makes use of header compression both client and server side. Not pull and request as old implementations but multiple simultaneous conversations – Burp doesn’t work with it! It’s all SSL, Web over UDP as well as TCP.

Day 2

Paint by numbers vs Monet – Russ Gideon

Analysis of APT attacks has shown that an MSF module has been seen in APT attacks 7 of 22 in the CVE PDF exploit discussed, the only change from the default MSF module was that the shellcode changed and obfuscation was added but it was the same basic code in use on the whole.

Once access has been gained: long term back doors established, credential harvesting, lateral movement, mimikatz (can be their own version), PTH toolkit, their own psexec.exe. Dropper installs a service. Remote named pipes for all communications.

The speakers have created a custom psexec module (on GitHub), to hide from forensics, AV etc.

Discussed a black hat group: installed 3 x back doors on each host, used UPX for packing (i.e. old/lame) and self extracting RAR file, they attacked sticky keys (sethc) and magnify for privilege escalation. SYSTEM$ user added and the user was also added to the local admins group, password identified was “qazwsx!#123”

In conclusion they summarised that APT attacks were not highly sophisticated, the groups behind the attacks do not think like pentesters, they think forensically and opportunistically.
Conclusion: pentesters usually have a much different footprint and end goals than those of APT operators / Nation States.

Data Plane Networking – Robert Graham

Apache/Bind should not be exposed to the Internet they were designed for the Internet that existed in the late 90’s and are not robust/ruggedised enough for today’s Internet (I paraphrase here). The speaker suggested using an exokernel i.e every event has its own thread and a virtual network adapter. A more short term solution is to make use of Nginx (as opposed to Apache) and other DNS servers (as opposed to Bind) faster.

Building Custom Android Malware for Pen Testing – Stephan Chenette

Android uses the Dalvik Virtual Machine. Malware defined as anything that breaks the security model without the users knowledge.

Once installed malware will probe for emulator or physical device (won’t trigger if emulator is detected as an end user would not be running an emulator), what type of network connection: wifi,3G etc.

Malware actions i.e. what are they trying to achieve: to make use of premium services that the user is charged for (not until their next bill) or advertising i.e. the client is used as an SMS bot sending texts to a wider user community.

One infection discussed was simply installing a valid application (no Trojan), but the app contains a vulnerability that is exploited only when the victim connects to attackers website.

The majority of malware today is found on 3rd party stores, although some is also found on the Google store.

Summary: Apps can do almost anything; the speaker suggests the fix is not restricting this functionality but in comprehensively reviewing applications’ behaviour and ensuring they conform to their specified security model.

Geolocation of GSM devices – David Perez and Jose Pico

This talk focused on the Geolocaton of GSM (I.e. 2G devices) when there is no access to the phone network. The only thing known about the handset was the IMEI (i.e. the unique device) and IMSI (i.e the unique SIM) and rough location of the device. The scope was to produce a car based/portable solution.

The equipment utilised by the team was a portable fake GSM Base station (USRP1), Omni-directional and directional antennas (to pinpoint the exact location), Software the team used was in the form of Open Base Transceiver Station (OpenBST). All of the equipment needed to provide GPS data, triangulation and a user console.

Initially the team focused on distance estimation based on power measurements, this method failed and was soon discarded.

Time based triangulation could only locate devices plus or minus 500 meters, this was initially deemed to be a fail as it was not accurate enough (the inaccuracy was due to a delay introduced that was dependant on phone make/model/vendor).

This testing is illegal in most countries, however the team stated all testing was conducted in a country where it was legal….

The team did find a solution to the device introduced delays, but whilst results were much better after this problem had been solved, results were still not good enough.

The next issue was that when the team were impersonating the real network, no devices would register with the fake cell (phones didn’t see it), if tests were repeated with commercial BTS they did register why?

Power related issue? No
Beacons wrong? No, they were different between the fake and real cells initially but even after this had been fixed the issue still existed.

No precision of the clock (needs to be very precise) turned out frequency was too high by 900hz (the standard only allows for 45hz deviation) Fixed? Not entirely, devices did finally register to the fake cell but it still wasn’t working properly > the team bought a better clock > this finally solved the issue!

Once registered to the fake cell phones stayed registered for 1.8Km; within the range of the phone. Max distance device registered 15 meters, not enough power….could not beat the power of the real base station. You win this race by manipulating Cell Re-selection Offset (CRO); which is used for roaming between cells.

The final solution involved getting close to target and switching to directional antenna.

Here it was thought that the more power you receive from the target, you are pointing at target? This assumption was wrong, power fluctuated even when antenna was stable; the cause was BTS telling the target device to lower or raise it’s power….this was happening!

Fix = Disabled this mechanism in the OpenBST source code but only once the kit was close enough to move into directional mode…then the team finally had a WIN : )

With this final solution the team were able to pinpoint devices down to 20 metres (in an open field environment), these figures were not quite as good in an urban environment.

With this problem finally solved (after several months of work), the team stated their future work would be to attempt a solution for achieving the same for 3G networks. Whilst the team are limited by the fact that no open source 3G base station implementation exists they are optimistic that it is possible with 3G.